Restrict network neighbourhood view

  • Thread starter: Tempo

Tempo

Hello,

I would like to know if it is possible to use Group Policy
to restrict the computers that are seen in the Network
Neighbourhood to only computers that belong to one's OU.

If this is possible, please let me know how to do this.

Thanks.

Tempo.
 
Hey Tempo,

Unfortunately we're fighting with two different technologies here.
Machine seen in network neighborhood is a function of browsing, and that is
powered by NetBIOS. Policy is of course something new that controls the end
user experience and their rights. And, GP was created way after NetBIOS.

As such, you'll probably have trouble removing specific machines from
network neighborhood for specific users. Removing them altogether you could
probably do, but removing them for specific users might prove challenging.
There might be a crafty way of doing it, but I'd imagine it wouldn't be easy
nor would it be bullet proof, and a skilled user would probably be able to
get around it.

However, what I'd imagine is your end goal is certainly doable, just with a
different approach. The typical approach we'd use for something like this
would be:
1) Deny a user's access to a machine. That is, use policy to control the
"access this computer from the network" right such that only some users are
able to access the machine in question (i.e. the machine you were trying to
remove from network neighborhood). You could put an explicit deny for
certain groups of users, or change it such that only some others can access
the computer. Then of course further ACLs on resources located on the
machine lock it down further.
2) Disable browsing altogether. Required? Of course not. But if this is a
critical step for you, you could disable browsing and subsequently require
that users "know" where their resources are.

Personally, I'm a fan of #1. I think that relying on a user not knowing the
name of a machine or how to reach it isn't the best move from a security
perspective. If they know it is there but have a policy blocking them from
reaching resources on it, that is far better IMHO.

Please do post back if you have further questions or thoughts.
~Eric
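
Option 1 in the reply above can be checked from a `secedit /export /cfg <file> /areas USER_RIGHTS` template; the following is an added example, not code from the thread, that reports whether a group meant to be kept out can still use "Access this computer from the network". It assumes principals are exported as SIDs, uses a constructed template and a hypothetical group SID, and does not resolve nested group membership.

```python
# Added example: audit network-logon rights in a `secedit /export` template.
# The S-1-5-21-1111... SID and both templates are constructed sample data.
RESTRICTED_GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # hypothetical group

BEFORE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""
# Same template with the explicit deny from option 1 applied.
AFTER = BEFORE.replace("[Version]", "SeDenyNetworkLogonRight = *" + RESTRICTED_GROUP + "\n[Version]")

NETWORK_LOGON = "SeNetworkLogonRight"           # Access this computer from the network
DENY_NETWORK_LOGON = "SeDenyNetworkLogonRight"  # Deny access to this computer from the network
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "BUILTIN\\Users"}

def parse_privilege_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def audit_network_logon(rights, restricted_sids):
    """List restricted groups that can still log on over the network."""
    allowed = rights.get(NETWORK_LOGON, [])
    denied = set(rights.get(DENY_NETWORK_LOGON, []))
    broad = [name for sid, name in BROAD_SIDS.items() if sid in allowed]
    findings = []
    for sid in restricted_sids:
        if sid in denied:
            continue  # an explicit deny overrides any allow entry
        if sid in allowed:
            findings.append(f"{sid}: granted {NETWORK_LOGON} directly")
        elif broad:
            findings.append(f"{sid}: covered by {', '.join(broad)}")
    return findings

if __name__ == "__main__":
    for label, template in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_network_logon(parse_privilege_rights(template), [RESTRICTED_GROUP]))
```

An empty result for a template means every listed group is either explicitly denied or not covered by the allow list.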
 
Eric,

Thanks so much for the info and suggestions.

My situation is as follows:
I have a Win2K Server with Active Directory on my network
but I am using workgroups (no domains) in my network.

Administrative work is virtually impossible with over 100
computers on my network.
I want to keep the workgroup groupings but do not want to
create a domain tree since this will require me to have
more than one server (DC) in my network.

What I was thinking of doing is having all the machines in
one domain, group them using AD and still give the users
the network association they had when using workgroups.

I do not want users to see over 100 computers at the same
place when browsing the network.

Can you help me, please?

Thanks.

Tempo
 
Hmm, a couple of questions based on what you said:

> I have a Win2K Server with Active Directory on my network
> but I am using workgroups (no domains) in my network.

If you have AD running you have a domain going by definition. That's what AD
does: it serves up domains.
Do the workstations believe they are part of a domain? On a 2000 or XP
workstation you could check by right-clicking My Computer, then checking the
network ID tab (that's the XP name, I forget the name of the tab in 2000).
It will say in there if you're in a domain or a workgroup.

> I want to keep the workgroup groupings but do not want to
> create a domain tree since this will require me to have
> more than one server (DC) in my network.

Woah! That's not true. You can have a domain with one DC no problem. Is it
recommended? No, there's not as much redundancy, but there is nothing
stopping you from having a single DC domain. It's better to have a single DC
domain than no domain. Still ahead of the game if you ask me.

> Administrative work is virtually impossible with over 100
> computers on my network.

Yup, a domain would resolve this.

~Eric
 